This repository has been archived by the owner on Jun 5, 2023. It is now read-only.

Update CSCC Notifier to send resource name in supported format #3803

Open

gkowalski-google opened this issue Aug 12, 2020 · 2 comments
Labels: module: notifier; priority: p3 (Desirable enhancement or minor bug fix); triaged: yes

gkowalski-google commented Aug 12, 2020

Story

The Forseti CSCC Connector finding details page can display the project and asset at the top of the page. This will provide a link to more information on the resource, including the resource data.

Proposed Solution

The CSCC supported resource name is very similar to the CAI resource name. The CAI resource name is already stored in the gcp_inventory table, and the resource_name in the violations table should be the same (this needs to be confirmed).

The CSCC format is slightly different from the CAI format:

Cluster:
- CAI Format: //container.googleapis.com/projects/%s/(zones|regions|locations)/%s/clusters/%s
- CSCC Format: //container.googleapis.com/projects/%s/zones/%s/clusters/%s

Docker Image (Strip prefix):
- CAI Format: //containerregistry.googleapis.com/us.gcr.io/...
- CSCC Format: us.gcr.io/...

ALL Compute Types:
- CAI Format: //compute.googleapis.com/.../compute-asset-display-name
- CSCC Format: //compute.googleapis.com/.../compute-asset-numerical-id
 
Managed Zone and Policy:
- CAI Format: //dns.googleapis.com/projects/project-asset-display-name/...
- CSCC Format: //dns.googleapis.com/projects/project-asset-numerical-id/...

Clusters

For the clusters, CSCC is expecting the zone to always be included in the resource name (not location or region). The cluster zone should be available in the resource_data from the violation.

Docker Images

This should be pretty straightforward, just strip the domain from the resource_name.

Compute

Will need to get the number from the resource_data and replace the id. Do the project ids need to be replaced with the project numbers (along with folders and any other resource that is in the hierarchy)?

DNS zone and policy

Need to replace the name with the id.

Questions

  • How to handle IAM policy?

Implementation Details

Forseti currently sends the resource full_name as the resource_name parameter to CSCC. This line will need to be changed to use the resource_name property of the violation instead, e.g. violation.get('resource_name'). Depending on the resource type, some modifications to the resource name will need to be made to align with the above.

Acceptance Criteria

Verify that the CSCC integration is still working and that the finding details page shows the project and asset.
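A worked conversion covering the four format differences listed in the proposal and the resource_name lookup described under Implementation Details, as an added example that is not Forseti's code. It assumes that a violation's resource_data is the parsed JSON dict (or its JSON string) Forseti stores with the violation, that GKE cluster data carries a zone key and compute data an id key, and that project numbers for DNS resources are supplied by the caller as a project_id to project_number mapping, since the issue leaves open where that lookup should live. Inputs in the demo are constructed sample values.

```python
"""Convert a violation's CAI-style resource_name into the CSCC resource name
format described in this issue.

Added example, not Forseti code. Assumptions not stated in the issue:
  * resource_data is the violation's parsed resource JSON (dict or string),
    with a 'zone' key for GKE clusters and an 'id' key for compute assets.
  * Project numbers for DNS resources come from a caller-supplied mapping.
"""
import json
import re

CLUSTER_RE = re.compile(
    r'^//container\.googleapis\.com/projects/([^/]+)/'
    r'(?:zones|regions|locations)/([^/]+)/clusters/([^/]+)$')
GCR_PREFIX = '//containerregistry.googleapis.com/'
COMPUTE_PREFIX = '//compute.googleapis.com/'
DNS_RE = re.compile(r'^(//dns\.googleapis\.com/projects/)([^/]+)(/.*)$')


def to_cscc_resource_name(resource_name, resource_data=None, project_numbers=None):
    """Return the CSCC-formatted name for a violation's resource_name.

    Unknown resource types are passed through unchanged; a missing field that
    CSCC needs raises ValueError instead of producing a name CSCC would reject.
    """
    if isinstance(resource_data, str):
        resource_data = json.loads(resource_data)
    resource_data = resource_data or {}

    # Cluster: CSCC always wants /zones/<zone>/, whatever location CAI used.
    m = CLUSTER_RE.match(resource_name)
    if m:
        project, _location, cluster = m.groups()
        zone = resource_data.get('zone')
        if not zone:
            raise ValueError('no zone in resource_data for %s' % resource_name)
        return '//container.googleapis.com/projects/%s/zones/%s/clusters/%s' % (
            project, zone, cluster)

    # Docker image: strip the containerregistry domain prefix.
    if resource_name.startswith(GCR_PREFIX):
        return resource_name[len(GCR_PREFIX):]

    # Compute: replace the trailing display name with the numerical id.
    if resource_name.startswith(COMPUTE_PREFIX):
        numeric_id = resource_data.get('id')
        if numeric_id is None:
            raise ValueError('no id in resource_data for %s' % resource_name)
        prefix, _, _display_name = resource_name.rpartition('/')
        return '%s/%s' % (prefix, numeric_id)

    # DNS managed zone / policy: replace the project id with the project number.
    m = DNS_RE.match(resource_name)
    if m:
        head, project_id, tail = m.groups()
        number = (project_numbers or {}).get(project_id)
        if number is None:
            raise ValueError('no project number known for %s' % project_id)
        return '%s%s%s' % (head, number, tail)

    return resource_name


def cscc_resource_name_for(violation, project_numbers=None):
    """Build the CSCC resource_name from a violation row, using its
    resource_name property rather than full_name as the issue proposes."""
    return to_cscc_resource_name(violation.get('resource_name'),
                                 violation.get('resource_data'),
                                 project_numbers)


if __name__ == '__main__':
    # Constructed sample violations, not real Forseti data.
    samples = [
        {'resource_name': '//container.googleapis.com/projects/my-project/'
                          'locations/us-central1/clusters/prod',
         'resource_data': '{"zone": "us-central1-a"}'},
        {'resource_name': '//containerregistry.googleapis.com/us.gcr.io/my-project/app'},
        {'resource_name': '//compute.googleapis.com/projects/my-project/zones/'
                          'us-central1-a/instances/web-1',
         'resource_data': '{"id": "1234567890"}'},
        {'resource_name': '//dns.googleapis.com/projects/my-project/managedZones/zone-1'},
    ]
    for v in samples:
        print(cscc_resource_name_for(v, {'my-project': '123456789012'}))
```

The pass-through default keeps the notifier working for types the issue does not list (the IAM policy question stays open), while the ValueError cases surface the missing zone or id in the notifier's own logs instead of shipping a finding CSCC cannot link to an asset.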

@zachahuy02

Ideally, it should also send the severity and description so that the finding from Forseti to CSCC matches the format from Security Health Analytics.

@gkowalski-google

Hi @zachahuy02, thanks for the feedback. We are looking to include the severity for Config Validator violations in this ticket: #3522. Can you provide more info on what description you are referring to? Are you referring to the violation_message from the Forseti violations table?
